Re: Question about TSIG, AD/AA, and AXFR

[Edward Lewis <lewis@tislabs.com>]

At 12:40 AM -0400 7/17/01, Brian Wellington wrote:
>Are you talking about the stub resolver directly contacting a secondary?
>It should be going through a recursive server, and the recursive server
>will validate the data.  If the data on the secondary has been corrupted
>or maliciously altered, the recursive server will fail to verify it.

Yeah.  I am assuming that the "client" in this case isn't able to establish
a chain of trust (no code to do so or at least no configured key).  Perhaps
the "secondary" is also the "default/recursive" server for the client, or
that the client has a configured relationship with the authoritative
servers.

>About the worst can happen is that the secondary can serve data that's no
>longer in the zone but still valid, but the same thing can happen with any
>caching server.

If the client (I'll use that term) is relying on TSIG, they aren't likely
to do signature validation.  (Perhaps we should recommend that TSIG queries
be issued with the DNSSEC indication off.)

There is also the push to adopt TSIG ahead of signing zones.  I can see a
lot of zones using TSIG in limited runs well ahead of signing the zone - as
folks first see the benefit of TSIG, then see how hard it is to manage
secerts, and then discover the benefit of scaleable but more intensive
public key efforts.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.




to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.